Microsoft security czar speaks about Vista

Yes, the OS's security is 'annoying'

By Robert McMillan | 14 June 06

Ben Fathi knows a thing or two about security. He spent the first half of his 24-year career working as an operating-system developer, before moving to management. Before being named head of Microsoft's security group, he was the executive responsible for the SMB (Server Message Block) file-sharing protocol, which has had its share of security issues.

His new job as corporate vice president of Microsoft's Security Technology Unit will give him a higher profile outside of the company. He's in charge of Microsoft's response to hacker threats, and he must lay out the overall security strategy, as developers put the finishing touches on the highly anticipated Vista and Windows Server "Longhorn" products.

Though Fathi claims that he's not as strong a spokesman as his predecessor, Mike Nash, this seems like false modesty. In one of his first interviews since beginning his new job this month, he spoke at length on the wide range of issues before him as he works to keep Microsoft one step ahead of the bad guys. Following is an edited transcript of his interview.

PC Advisor: What would you like to achieve a year from now, as head of the security group?

Fathi: One of the areas that I'm really passionate about in security is what we call a trust ecosystem. What I mean by that is taking security from where it is today, where it's viewed by a lot of customers as a defensive technology - it's seen as a way of blocking bad things from happening on your machine - and taking that and turning it around into a technology that really enables you to do things securely and seamlessly without having fear. So you can take things like documents and share them with your friends and family or with workers in other companies securely.

We've made a lot of investments in that space, such as ActiveDirectory Federation Services and Rights Management Services. We've made the first steps, but we need to take that a long way, both in the consumer space and in the enterprise space.

I don't know if we're going to have something a year from now. I think for the next six months or so we're going to be concentrating on Vista and then Longhorn server. But that's something that, as we look at post-Vista planning, I've been pushing the team to look at and invest in heavily.

PCA: Beta testers have complained that some of Vista's security features make it to too hard to use. How much of a hit will ease-of-use take because of security?

Fathi: A lot of the comments that you've seen in blogs and articles are centred around UAC [User Account Control], and we took a lot of those comments to heart. We have talked to enterprise customers and we have talked to consumers. And for Beta 2, we've significantly reduced the number of dialogs. For RC1 and RTM we've also continued to do that work. We've added instrumentation into the system so we can monitor the top 100 apps that are having dialogs and pop-ups happen, so that we can work with those ISVs. And in some cases, we actually shim those apps internally. So you will see a large percentage of those problems go away as we get closer to RTM and as we get millions of people using the beta. [RC1 is Release Candidate 1, a follow-up test release of Vista expected later this year. RTM is Release to Manufacturers, the completed version that PC vendors install on their machines.]

We also did something that I just announced last night: the ActiveX installation service. This is something we've heard from our enterprise customers. They want to have the ability for an administrator to have an MMC [Microsoft Management Console] where they can approve internal websites or partner company websites and list the applications that can basically be white listed. So standard users can install those. We have done that and that will be available in RC1.

The other issue that we have thought about for UAC is parental controls for the consumer space. That's also in Beta 2.

So I agree with you that there's a certain amount of annoyance, but you can expect that with any product that in beta, and we are committed to significantly improving the usability of this.

PCA: Is client security something that Microsoft ultimately wants to be selling years from now, or do you want to get to the point where the operating system is just secure enough?

Fathi: If you look at OneCare, for example, OneCare is not just about security. It's about management; it's about taking over a consumer's machine and helping them in every way we can with everything from antivirus and antispyware to automatic backups, doing performance tuning, doing patch installation, and simplifying the overall management of that system.

You're going to see complete management and simplification solutions from us and one aspect of that is going to be security. Whether it's a big aspect or a small aspect is going to change over time. Some of those pieces of functionality will eventually make it into the OS, and we're going to look for other things we can do in a management solution to simplify people's lives.

PCA: Right, but on the corporate side you have Forefront Client Security, which doesn't do management. Either way, some of the things you talk about sound like features I would want in my operating system. Do you really think that it's going to be necessary to sell this type of product five years from now?

Fathi: I don't know. We'll let the customers decide. That's what it's all about. Let them have the choice and see what their feedback is, and continue to innovate in those spaces.